<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Eol - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/eol/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 06:20:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/eol/feed.xml" rel="self" type="application/rss+xml"/><item><title>Trendnet TEW-635BRM Web Service Stack-based Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15480/</link><pubDate>Sun, 12 Jul 2026 06:20:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15480/</guid><description>CVE-2026-15480 describes a stack-based buffer overflow vulnerability in the Trendnet TEW-635BRM router firmware, specifically in the start_httpd function within the /sbin/rc component's Web Service, which can be exploited remotely by manipulating the 'device_name' argument, potentially leading to arbitrary code execution; an exploit is publicly available, but the product is End-of-Life (EOL) since 2011, and the vendor advises users to switch devices.</description><content:encoded><![CDATA[<p>CVE-2026-15480 details a critical stack-based buffer overflow vulnerability affecting Trendnet TEW-635BRM router firmware versions up to 1.00.03. The flaw resides within the <code>start_httpd</code> function of the <code>/sbin/rc</code> component's Web Service. Threat actors can remotely exploit this vulnerability by sending specially crafted HTTP requests that manipulate the <code>device_name</code> argument. Such manipulation leads to a buffer overflow, which can result in arbitrary code execution on the affected device. While a public exploit is available, the affected product has been End-of-Life (EOL) since 2011, meaning no official patches will be released. The vendor explicitly recommends that users replace these devices due to the confirmed vulnerability and lack of support. This vulnerability poses a significant risk to organizations still utilizing these legacy devices, as successful exploitation grants attackers full control.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker sends a specially crafted HTTP request to the vulnerable Trendnet TEW-635BRM router.</li>
<li>The HTTP request targets the device's Web Service component, which is responsible for handling web-based management.</li>
<li>The attacker includes an overly long or malformed value in the <code>device_name</code> argument within the HTTP request.</li>
<li>The vulnerable <code>start_httpd</code> function, located in the <code>/sbin/rc</code> file, processes the manipulated <code>device_name</code> argument.</li>
<li>Due to insufficient bounds checking, the function attempts to write the oversized input into a fixed-size buffer on the stack, leading to a stack-based buffer overflow.</li>
<li>The overflow corrupts adjacent memory regions, allowing the attacker to overwrite critical data structures, including return addresses.</li>
<li>By carefully controlling the overflow content, the attacker redirects the execution flow to their injected malicious code.</li>
<li>Successful exploitation results in arbitrary code execution with the privileges of the web service, granting the attacker full control over the router.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15480 grants unauthenticated remote attackers arbitrary code execution capabilities on affected Trendnet TEW-635BRM routers. Given that these devices are End-of-Life (EOL) and will not receive patches, any organization still using them faces a permanent and critical security risk. Attackers could gain complete control over the compromised router, enabling them to intercept or redirect network traffic, use the device as a pivot point into the internal network, launch further attacks, or incorporate the device into botnets. While no specific victim counts are provided, the public availability of an exploit means that any exposed, unreplaced device is a potential target.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Decommission or Isolate Device:</strong> Immediately decommission any Trendnet TEW-635BRM routers (CVE-2026-15480) given their End-of-Life status and the absence of patches. If decommissioning is not immediately feasible, isolate these devices from critical networks.</li>
<li><strong>Replace Hardware:</strong> Replace all affected Trendnet TEW-635BRM routers with currently supported and patched network hardware.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>network</category><category>vulnerability</category><category>router</category><category>buffer-overflow</category><category>rce</category><category>eol</category></item></channel></rss>